The lawsuit against BA for the 2018 data breach is approved – should you join in?

If you were impacted by the British Airways data breach last year, things are starting to get interesting.

Between June (not from 21st August, as BA originally reported) and 5th September 2018, the data of people making a transaction at ba.com or BA Holidays was compromised and passed to an unknown third party.

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

….. but this was later found to also include log in and travel booking details as well as name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways last year.

The Information Commissioner’s Office (ICO) was not impressed, and in July 2019 it proposed a fine of £183 million.  See the ICO’s statement here.  The final sum will be confirmed following representations from all parties involved.

It was the first major fine to be imposed under the new General Data Protection Regulation (GDPR).  In some ways BA got off lightly as the maximum fine is 4% of turnover – BA was fined 1.5%.

The £183m is not going to impacted customers, however.  It is divided up between the various European data authorities, with the UK share going directly to the Treasury.

British Airways data breach claim

But you can now make your own claim ….

You may have seen advertisements popping up over the last year from various law firms who are proposing to take legal action against British Airways.

It was not certain whether this action could proceed.  However, last week, Mr Justice Warby granted a group litigation order.

There is no rush to move forward.  Justice Warby granted a 15 month period for flyers to sign up to the litigation, so the cut-off will be, give or take, 31st December 2020.

I was surprised to see that the number of people who have signed up so far is very low.  The largest litigation group has signed up just 5,000 people.  Given that Head for Points has around 40,000 readers on an average day, if you include our email readers, and is visited from over 350,000 unique devices per month, the law firms haven’t made much impact.

What I don’t understand, to be honest, is how a group litigation order works.  Does the Court award a flat amount – irrespective of the number of people in the claim – or is the award a flat sum per claimant?

If it is the former, then you might as well pile in – it won’t make any difference to how much British Airways pays out and you may as well get your share.  If it is the latter, you need to decide whether you are happy being directly responsible for taking a few thousand pounds off British Airways – although if BA has the right insurance, it won’t be paying out directly.

I recommend you sit tight for now

You have 15 months to join the legal action, or not.  We will try to speak to some of the law firms involved – and a few lawyers who are not – to bring you a view on whether it is worth joining the action or not.  Both my wife and I are impacted but have not signed up with any legal group so far.

Following Mr Justice Warby’s decision on Friday, however, the action is well placed to go ahead.

Comments

  1. I paid for award flight fees with my BA Amex card during the affected period.
    This was done during my BA Amex card ‘lock-out’ period (usually Nov to June – after I’ve earned my 2-4-1 voucher I specifically don’t use it apart from BA charges).
    I then received a text from Amex to call them – my BA Amex card had attempts to be used for two expenditures in the USA. Amex had picked it up straight away and denied both transactions (or so they say), blocked the card and were sending out new card(s). (No transactions appeared on my next Amex statement.)
    I thought that Amex were top class for stopping the transactions as I fly about everywhere !!

    This might sound a bit OTT but is there a risk that myself sitting on ~1 million BAEC Avios then join the action and somehow BA close my account ??

    • Possible.

    • the_real_a says:

      This happened to Nationwide customers who won an Ombudsman ruling a few years ago. Nationwide paid the due compensation and then closed the accounts regardless if they wanted to continue banking with them or not.

      • Shoestring says:
      • And what was the reason for their closing of the account? I imagine no one complained so Nationwide got away. I doubt BA wants to test their T&C in court, especially if you have award and cash bookings paid for by any credit card. If they closed your account your award booking on which taxes were paid by credit card would be cancelled too which would invoke claims and could prove costly for BA as credit card companies would go after them.

        • the_real_a says:

          For commercial reasons. No-one can force a company to do business with anyone. Nationwide took the decision not to do business for life with anyone that won the Ombudsman case in this particular occasion.

          It’s always worth remembering the extremely weak position a consumer is in with regards to the protection of points/miles.

          • Will the powers of BA stretch as far as Iberia if one moves their precious Avios there through “Combine my Avios” feature?

          • Shoestring says:

            Not as things stand – IAG makes a big thing of running them as separate companies in various respects. There was no clawing back of the IB90K cheap Avios moved to BAEC for safe-keeping. Ring-fenced.

            The one thing that might change that could be the mooted single Avios platform (which seems to have gone away for now).

          • You would agree that since for example you hold an Avios booking or a cash booking with BA for which you used a credit card or if you have earned a 241 voucher from Amex spend there would be a case for further pursuit of damages. If BA decided to close your account meaning you would lose your voucher in it, your flight bookings, your Avios earned through credit card spend due to the fact that you rightly won a claim, it would be seen vexatious and the court will most likely award you further damages. Not to mention the fact that the credit card you used for bookings, or earning Avios would be liable to put you whole.

            I seriously doubt BA will want to test points/miles T&C in court.

          • The single Avios platform is not happening. Legal issues about Avios ownership… in Spain.

          • Lady London says:

            Surely the law protects people whose rights are violated by a company, from that company punishing them? British Airways has already been found to be guilty of violations by the authorities to the extent that a fine of £183 million has been mentioned. So how is that company then allowed to punish the customers whose rights were violated?

    • Lady London says:

      Employees would be protected by UK legislation from being punished by their employer for whistle-blowing.

      Isn’t this the same? is there no protection in a supplier-customer relationship, against potential victimisation by British Airways, by customers British Airways has wronged – which I am sure will be proven by court judgment?

      Something sounds immoral, that customers with just cause for grievance should be persecuted by a supplier that has been found out to be violating a statute covering the security of those customers’ data.

  2. Does this also apply to BA reward booking made on avios.com within the mentioned period. No fraud email from BA either, but did have an Amex fraud alert on the same card a month later!

  3. jim macneilage says:

    I flew several times during the dates mentioned – have not heard anything from BA, checked with similar colleagues – same thing, not a word from BA ?

    • It doesn’t matter whether you flew with them during that period, what matters is whether you made a purchase online at BA.com (cash ticket or redemption) during that time, as that is when transactions were intercepted. Someone posted a link earlier about how the Magecart exploit works – that probably explains in more detail.

      • Just to clarify as I only called out cash tickets and redemptions – it won’t just have been these.
        Think of it like one of those skimming devices at an ATM. Any transaction on BA.com where you input your payment details and purchased (so even a seat booking) would be compromised too!

        • Lady London says:

          The hackers got the code from the card and not just the card numbers and so that hints to live interception of the data having taken place. Either that, or the code, which is not supposed to be stored by the seller (in this case BA) was in fact being stored when it is not supposed to be.

    • Shoestring says:

      I think it’s ticket purchase date that counts, not flying date

      were they booked direct or corporate?

  4. Shoestring says:

    fwiw I’m waiting/ holding fire on this one

    we’ve missed the boat on one thing – one of the law firms was initially offering 100% of the settlement to the client, now 65% – but I can’t see any other rush, particularly if you have a few BAEC avios to worry about if BA plays nasty 🙂

  5. Is there any evidence that anyone has actually lost out from this breach ?

    • Shoestring says:

      it’s pretty inconvenient to have to change your card & of course there’s genuine stress in some people if they worry about compromised cards

      Amex reassured everybody early on that they wouldn’t lose out on a BA data breach fraud, so I slept easy, sure 🙂

      in answer £££ terms to your question: yes, plenty of people saw card fraud occur and have linked it in their own minds with the BA data breach

    • Plenty of people who suffered problems with cards in the aftermath. If you mean ‘can anyone show a screenshot from the dark web of an ad saying ‘500,000 BA customer credit card numbers for sale’ and then proof that it was purchased’, then the answer is no. And that is standard of proof BA wants before it stops saying ‘we have no proof of any fraud’.

      Lloyds was saying the same thing, remember, when literally hundreds of Lloyds Amex customers had fraudulent transactions in the same week in the US.

      • I received one of those blackmail emails saying they know I had been watching porn as they had filmed it etc etc and would publish it if I didn’t pay a set amount of bitcoin.

        Their proof was my email address and a password that I only ever used on BA.com

    • the_real_a says:

      It’s virtually impossible to prove line of sight to losses in these kind of events. Details are bought and sold in dark places across several jurisdictions several times over – this is why data commissioners are now basing fines at the point of breach rather than proven loss.

  6. It would be interesting to see if the UK government would bail BA out if it finds itself on the brink of going under (whether as a consequence of this litigation or a massive passenger boycott because of non-reclining seats on long-haul flights). I sincerely hope that it would not…

    • Lady London says:

      No they wouldn’t.

      But in the case of several European countries, yes they would bail out the airline in similar circumstances. Look at the gymnastics done by government and/or proxy: local government, to protect the operations of Thomas Cook in some particular European countries…..

  7. Jon Connell says:

    BA’s security hole leaked my BA Amex card details. Amex and BA both communicated clearly, I’ve not needed to change my Amex card and have not suffered any fraud. Maybe I am lucky but I have no loss and personally I think it immoral to go chasing them with dodgy legal firms when they have already been fined for the breach.

    • Some of them are not dodgy. Those that claim people are going to get £6k are! You’re forgetting the hassle of changing the card on Paypal, subscriptions, etc. let alone waiting on the phone to cancel the card! BA could have so easily resolved this much better by offering a few Avios or credit voucher along with protect my id subscription…

  8. Marion Lowry says:

    Hello.. I’m from Ireland and my Visa card was compromised…
    I had to cancel my card and as I was travelling abroad the following week it was touch and go if the new one would arrive and it did.
    The above article is the first I have heard about a lawsuit..
    What do people advise I should do?
    TIA
    Marion

    • Sit and wait until we get a clearer picture of what joining the lawsuit would involve. You’ve got 15 months to join so no rush.

  9. OT – I spent £10k on the standard BA card, upgraded to the BAPP card and got the 2-4-1 voucher. Voucher is only valid for 12 months though. Noticed a message on the email which I’ve never seen before ‘If you have recently upgraded your British Airways American Express® Credit Card and are experiencing issues regarding the Companion Voucher validity period, please call American Express.’

    Change in policy maybe?

  10. I made reward bookings on 5th June 2018 but can’t see where it says this period was affected on ba site as others have mentioned??

  11. If I made 2 separate bookings during the period in question using two different cards does that mean I could potentially join the action twice?
